MSIE:"SaveRef" turns Zone off

From: Liu Die Yu (liudieyuinchinaat_private)
Date: Mon Sep 30 2002 - 17:19:03 PDT

    [digest]
    MSIE: you can execute jscript in any zone by saving the reference 
    of "(NewWindow).location.assign".
    (content after the "[exp]" section is not directly related to the flaw, so 
    skip it if you are in a hurry ;)
    
    [tested] MSIEv6 (CN version)
    {IEXPLORE.EXE file version: 6.0.2600.0000}
    {MSHTML.DLL file version: 6.00.2600.0000}
    Win98
    
    [demo]
    at 
    http://www16.brinkster.com/liudieyu/SaveRef/SaveRef-MyPage.htm
    or 
    clik.to/liudieyu ==> SaveRef-MyPage section.
    
    [exp]
    javascript-protocol URL can cause CSS at client side, so Microsoft 
    blocked the "(NewWindow).location.assign" method (there is no other explanation 
    at all). But we can save the reference (mostly the same as 'pointer' in C) 
    of "(NewWindow).location.assign" when we can access it; then we can access 
    it forever -- regardless of NewWindow's zone, which means we can execute 
    jscript in any zone.
    
    simple, that's all.
    
    [BTW]
    thanx to:
    0. all knowledge bases
    1. "dror shalev", without his "Who Framed IE" demo at
    http://drorshalev.brinkster.net/dev/Search 
    and his words, I wouldn't have discovered this flaw. (both "SaveRef" & "Who 
    Framed IE" hurt Microsoft's heart -- OOP/COM/DCOM ;)
    2. "the Pull", his words at
    http://home.austin.rr.com/wiredgoddess/thepull/UnorthodoxBugFinding.txt
    are inspiring & practical.
    
    [apology]
    I am always late for online issues because of everything around me (one 
    example is my parents), but I've never been absent ;)
    
    [contact]
    liudieyuinchinaat_private
    or
    clik.to/liudieyu ===> "how to contact liu die yu" section
    
    This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 15:24:56 PDT